keymat: Call TKM Isa_Create procedure
[strongswan.git] / src / charon-tkm / src / tkm / tkm_keymat.c
1 /*
2 * Copyrigth (C) 2012 Reto Buerki
3 * Copyright (C) 2012 Adrian-Ken Rueegsegger
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <daemon.h>
18 #include <sa/ikev2/keymat_v2.h>
19 #include <tkm/constants.h>
20 #include <tkm/client.h>
21
22 #include "tkm.h"
23 #include "tkm_utils.h"
24 #include "tkm_diffie_hellman.h"
25 #include "tkm_keymat.h"
26
27 typedef struct private_tkm_keymat_t private_tkm_keymat_t;
28
29 /**
30 * Private data of a keymat_t object.
31 */
32 struct private_tkm_keymat_t {
33
34 /**
35 * Public tkm_keymat_t interface.
36 */
37 tkm_keymat_t public;
38
39 /**
40 * IKEv2 keymat proxy (will be removed).
41 */
42 keymat_v2_t *proxy;
43
44 /**
45 * IKE_SA Role, initiator or responder
46 */
47 bool initiator;
48
49 };
50
51 METHOD(keymat_t, get_version, ike_version_t,
52 private_tkm_keymat_t *this)
53 {
54 return IKEV2;
55 }
56
57 METHOD(keymat_t, create_dh, diffie_hellman_t*,
58 private_tkm_keymat_t *this, diffie_hellman_group_t group)
59 {
60 return lib->crypto->create_dh(lib->crypto, group);
61 }
62
63 METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
64 private_tkm_keymat_t *this)
65 {
66 return lib->crypto->create_nonce_gen(lib->crypto);
67 }
68
69 METHOD(tkm_keymat_t, derive_ike_keys, bool,
70 private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
71 chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
72 pseudo_random_function_t rekey_function, chunk_t rekey_skd)
73 {
74 chunk_t * const nonce = this->initiator ? &nonce_i : &nonce_r;
75 const uint64_t nc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce);
76 if (!nc_id)
77 {
78 DBG1(DBG_IKE, "unable to acquire context id for nonce");
79 return FALSE;
80 }
81
82 tkm_diffie_hellman_t * const tkm_dh = (tkm_diffie_hellman_t *)dh;
83 const dh_id_type dh_id = tkm_dh->get_id(tkm_dh);
84
85 nonce_type nonce_rem;
86 u_int64_t spi_loc, spi_rem;
87
88 if (this->initiator)
89 {
90 chunk_to_sequence(&nonce_r, &nonce_rem);
91 spi_loc = id->get_initiator_spi(id);
92 spi_rem = id->get_responder_spi(id);
93 }
94 else
95 {
96 chunk_to_sequence(&nonce_i, &nonce_rem);
97 spi_loc = id->get_responder_spi(id);
98 spi_rem = id->get_initiator_spi(id);
99 }
100
101 key_type sk_ai, sk_ar, sk_ei, sk_er;
102 DBG1(DBG_IKE, "deriving IKE keys (nc: %llu, dh: %llu, spi_loc: %llx, "
103 "spi_rem: %llx)", nc_id, dh_id, spi_loc, spi_rem);
104 /* Fake some data for now */
105 if (ike_isa_create(1, 1, 1, dh_id, nc_id, nonce_rem, 1, spi_loc, spi_rem,
106 &sk_ai, &sk_ar, &sk_ei, &sk_er) != TKM_OK)
107 {
108 DBG1(DBG_IKE, "key derivation failed");
109 return FALSE;
110 }
111
112 if (this->proxy->derive_ike_keys(this->proxy, proposal, dh, nonce_i,
113 nonce_r, id, rekey_function, rekey_skd))
114 {
115 tkm->chunk_map->remove(tkm->chunk_map, nonce);
116 if (ike_nc_reset(nc_id) != TKM_OK)
117 {
118 DBG1(DBG_IKE, "failed to reset nonce context %llu", nc_id);
119 }
120 tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nc_id);
121
122 return TRUE;
123 }
124 return FALSE;
125 }
126
127 METHOD(tkm_keymat_t, derive_child_keys, bool,
128 private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
129 chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
130 chunk_t *encr_r, chunk_t *integ_r)
131 {
132 DBG1(DBG_CHD, "deriving child keys");
133 return this->proxy->derive_child_keys(this->proxy, proposal, dh, nonce_i,
134 nonce_r, encr_i, integ_i, encr_r, integ_r);
135 }
136
137 METHOD(keymat_t, get_aead, aead_t*,
138 private_tkm_keymat_t *this, bool in)
139 {
140 DBG1(DBG_IKE, "returning aead transform");
141 return this->proxy->keymat.get_aead(&this->proxy->keymat, in);
142 }
143
144 METHOD(tkm_keymat_t, get_auth_octets, bool,
145 private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
146 chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
147 {
148 DBG1(DBG_IKE, "returning auth octets");
149 return this->proxy->get_auth_octets(this->proxy, verify, ike_sa_init, nonce,
150 id, reserved, octets);
151 }
152
153 METHOD(tkm_keymat_t, get_skd, pseudo_random_function_t,
154 private_tkm_keymat_t *this, chunk_t *skd)
155 {
156 DBG1(DBG_IKE, "returning skd");
157 return this->proxy->get_skd(this->proxy, skd);
158 }
159
160 METHOD(tkm_keymat_t, get_psk_sig, bool,
161 private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
162 chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
163 {
164 DBG1(DBG_IKE, "returning PSK signature");
165 return this->proxy->get_psk_sig(this->proxy, verify, ike_sa_init, nonce,
166 secret, id, reserved, sig);
167 }
168
169 METHOD(keymat_t, destroy, void,
170 private_tkm_keymat_t *this)
171 {
172 free(this);
173 }
174
175 /**
176 * See header.
177 */
178 tkm_keymat_t *tkm_keymat_create(bool initiator)
179 {
180 private_tkm_keymat_t *this;
181
182 INIT(this,
183 .public = {
184 .keymat = {
185 .get_version = _get_version,
186 .create_dh = _create_dh,
187 .create_nonce_gen = _create_nonce_gen,
188 .get_aead = _get_aead,
189 .destroy = _destroy,
190 },
191 .derive_ike_keys = _derive_ike_keys,
192 .derive_child_keys = _derive_child_keys,
193 .get_skd = _get_skd,
194 .get_auth_octets = _get_auth_octets,
195 .get_psk_sig = _get_psk_sig,
196 },
197 .initiator = initiator,
198 .proxy = keymat_v2_create(initiator),
199 );
200
201 return &this->public;
202 }